Securing virtual machine instances and containers can be a struggle both on premises and in the cloud, and many security teams have looked for new controls and processes that might help lock them down.
In the cloud, this has been complicated by a lack of cloud-native tools and by limited access to the parts of the environment that teams can normally inspect in-house.
New Google cloud security features
The first of the new Google cloud security features introduced by GCP is Shielded VMs. A shielded VM gets a virtual Trusted Platform Module (vTPM) that supports integrity validation of the boot process and of the kernel, and every integrity check is logged to the Google Stackdriver logging and monitoring service, so a failed check can be alerted on rather than passing silently. There is no additional charge for shielded VMs, which makes them an easy win for improving the resilience and security of compute workloads in the Google cloud environment.
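What logging every integrity check gives a security team in practice is a stream of events that can be triaged automatically. The following is an added example, not Google's code: it reads Shielded VM integrity events in the shape a Stackdriver log export produces, treats anything other than an explicit pass as a failure, and reports which PCR measurements drifted from the baseline learned at first boot. The sample entries are constructed, and the field names (earlyBootReportEvent, lateBootReportEvent, policyEvaluationPassed, actualMeasurements, policyMeasurements, bootCounter) are assumed from the documented shielded_vm_integrity log schema, so confirm them against entries from your own project.

```python
"""Triage Shielded VM integrity-monitoring events exported from Stackdriver.

Added example, not Google's code. Field names are assumed from the
documented shielded_vm_integrity log schema; verify against real entries.
"""
import json

# Constructed sample entries (not captured from a real project): instance 111
# boots cleanly; instance 222 passes early boot but its late-boot PCR 7
# measurement no longer matches the learned baseline.
SAMPLE_LOG = '''
{"logName": "projects/demo-proj/logs/compute.googleapis.com%2Fshielded_vm_integrity", "resource": {"type": "gce_instance", "labels": {"instance_id": "111", "zone": "us-central1-a"}}, "jsonPayload": {"@type": "type.googleapis.com/cloud_integrity.IntegrityEvent", "bootCounter": "7", "earlyBootReportEvent": {"policyEvaluationPassed": true, "actualMeasurements": [{"pcrNum": "PCR_0", "hashAlgo": "SHA256", "value": "aa11"}], "policyMeasurements": [{"pcrNum": "PCR_0", "hashAlgo": "SHA256", "value": "aa11"}]}}}
{"logName": "projects/demo-proj/logs/compute.googleapis.com%2Fshielded_vm_integrity", "resource": {"type": "gce_instance", "labels": {"instance_id": "222", "zone": "us-central1-a"}}, "jsonPayload": {"@type": "type.googleapis.com/cloud_integrity.IntegrityEvent", "bootCounter": "3", "earlyBootReportEvent": {"policyEvaluationPassed": true, "actualMeasurements": [{"pcrNum": "PCR_0", "hashAlgo": "SHA256", "value": "aa11"}], "policyMeasurements": [{"pcrNum": "PCR_0", "hashAlgo": "SHA256", "value": "aa11"}]}}}
{"logName": "projects/demo-proj/logs/compute.googleapis.com%2Fshielded_vm_integrity", "resource": {"type": "gce_instance", "labels": {"instance_id": "222", "zone": "us-central1-a"}}, "jsonPayload": {"@type": "type.googleapis.com/cloud_integrity.IntegrityEvent", "bootCounter": "3", "lateBootReportEvent": {"policyEvaluationPassed": false, "actualMeasurements": [{"pcrNum": "PCR_4", "hashAlgo": "SHA256", "value": "bb22"}, {"pcrNum": "PCR_7", "hashAlgo": "SHA256", "value": "dd44"}], "policyMeasurements": [{"pcrNum": "PCR_4", "hashAlgo": "SHA256", "value": "bb22"}, {"pcrNum": "PCR_7", "hashAlgo": "SHA256", "value": "cc33"}]}}}
'''


def parse_entries(raw):
    """One JSON log entry per line, the shape a log sink export produces."""
    return [json.loads(line) for line in raw.strip().splitlines() if line.strip()]


def drifted_pcrs(report):
    """PCR names whose measured value differs from the policy (baseline) value."""
    policy = {m["pcrNum"]: m["value"] for m in report.get("policyMeasurements", [])}
    actual = {m["pcrNum"]: m["value"] for m in report.get("actualMeasurements", [])}
    return sorted(p for p in set(policy) | set(actual) if policy.get(p) != actual.get(p))


def triage(entries):
    """Return one finding per failed boot-phase report, with the drifted PCRs."""
    findings = []
    for entry in entries:
        payload = entry.get("jsonPayload", {})
        labels = entry.get("resource", {}).get("labels", {})
        for phase in ("earlyBootReportEvent", "lateBootReportEvent"):
            report = payload.get(phase)
            if report is None:
                continue
            # Fail closed: only an explicit true verdict counts as a pass.
            if report.get("policyEvaluationPassed") is True:
                continue
            findings.append({
                "instance_id": labels.get("instance_id", "?"),
                "zone": labels.get("zone", "?"),
                "boot_counter": payload.get("bootCounter"),
                "phase": phase,
                "drifted_pcrs": drifted_pcrs(report),
            })
    return findings


if __name__ == "__main__":
    for finding in triage(parse_entries(SAMPLE_LOG)):
        print(json.dumps(finding))
```

In the sample, instance 222 fails only the late-boot check, which covers the stretch from the boot loader into the kernel, so the drifted PCR points at a boot loader or kernel change rather than firmware. For alerting without custom code, a log-based metric on the filter `jsonPayload.lateBootReportEvent.policyEvaluationPassed=false` does the same job; after an intentional kernel update the baseline is re-learned with `gcloud compute instances update --shielded-learn-integrity-policy`, otherwise the next boot will keep tripping the check.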
GCP also has a number of powerful new features for container deployments. Containers pull from registries and package repositories to install and configure software, and trust validation for those sources is a well-known weak spot, particularly in open source environments.
To help secure image registries and repositories, GCP now offers Container Registry, a private registry in which approved Docker images can be stored. Container Registry comes with access controls, logging and monitoring, and vulnerability scanning for container images, and Google keeps the vulnerability data behind the scanner up to date.
The vulnerability scanner's APIs can also feed other commercial container security tools, such as Twistlock, Aqua and Black Duck, to improve Google cloud security. GCP private registries can integrate with a number of code repositories, such as GitHub and Bitbucket, and the service is available globally for flexible deployment across regions.
What security teams can do
Security teams have also been looking more closely at how to lock down the container images used by cloud deployment teams. Ideally, every Docker image is validated at several stages of the continuous integration and delivery pipeline, and container security should cover hardening, patching and monitoring.
For example, the Center for Internet Security (CIS) publishes an excellent benchmark for Docker, and Docker Bench is an open source tool that checks a Docker host and its containers against the CIS benchmark recommendations. However, validating images before they are deployed has been a major headache, particularly when DevOps teams use sophisticated orchestration tools like Kubernetes that many security teams have little visibility into.
GCP has greatly simplified validation of container images with another feature, Binary Authorization, which verifies images at deployment time and admits only authorized, signed images into production.
Binary Authorization is integrated with the new Container Registry and can take vulnerability scanning information from the registry into account to block images with high-risk vulnerabilities. Every blocked deployment attempt is logged in detail, and the tool even has a break-glass override for emergencies that is itself governed by policy and audited.
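The pieces described in the last few paragraphs (registry scan results, signed images, deploy-time enforcement, logged denials and an audited break-glass path) fit together as shown below. This is an added model written for this page, not Google's policy engine, and it makes several assumptions: attestations are HMACs over the image digest as a stand-in for the PGP/PKIX signatures real attestors produce; the pod annotation name used for break-glass is the one Binary Authorization documents, but treat it as an assumption; and the `maxAllowedSeverity` field is this model's extension, not a Binary Authorization policy field (the whitelist and required-attestor fields loosely follow the real policy YAML). The keys, digest and vulnerability finding are constructed.

```python
"""Model of a deploy-time image admission check in the style of Binary Authorization.

Added example, not Google's code. HMAC attestations, the break-glass
annotation name and the severity gate are assumptions (see lead-in).
"""
import fnmatch
import hashlib
import hmac
import json

SEVERITY_ORDER = ["MINIMAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
BREAK_GLASS_ANNOTATION = "alpha.image-policy.k8s.io/break-glass"  # assumed name

# Constructed stand-in attestor keys; real attestors hold asymmetric keys.
ATTESTOR_KEYS = {"qa": b"qa-signing-key", "vuln-scan": b"scan-signing-key"}

POLICY = {
    "admissionWhitelistPatterns": ["gcr.io/demo-proj/trusted-base/*"],
    "requireAttestationsBy": ["qa", "vuln-scan"],
    "maxAllowedSeverity": "MEDIUM",  # model extension, not a real policy field
}


def sign(attestor, digest):
    """Stand-in attestation: HMAC over the digest with the attestor's key."""
    return hmac.new(ATTESTOR_KEYS[attestor], digest.encode(), hashlib.sha256).hexdigest()


def attestation_valid(att, attestor, digest):
    """Counts only if it names this attestor, binds this exact digest and verifies."""
    return (att.get("attestor") == attestor and att.get("digest") == digest
            and attestor in ATTESTOR_KEYS
            and hmac.compare_digest(att.get("signature", ""), sign(attestor, digest)))


def worst_severity(findings):
    """Highest severity among registry scan findings, or None if there are none."""
    ranks = [SEVERITY_ORDER.index(f["severity"]) for f in findings
             if f.get("severity") in SEVERITY_ORDER]
    return SEVERITY_ORDER[max(ranks)] if ranks else None


def evaluate(image_ref, attestations, findings, annotations, policy=POLICY):
    """Return an audit record carrying the decision and every reason behind it."""
    record = {"image": image_ref, "allowed": False, "reasons": [], "break_glass": False}
    if any(fnmatch.fnmatch(image_ref, p) for p in policy["admissionWhitelistPatterns"]):
        record.update(allowed=True, reasons=["matches admission whitelist"])
        return record
    if "@sha256:" not in image_ref:
        # A tag can be re-pointed after signing; only a digest pins what was attested.
        record["reasons"].append("image reference is not pinned by digest")
    else:
        digest = image_ref.split("@", 1)[1]
        for attestor in policy["requireAttestationsBy"]:
            if not any(attestation_valid(a, attestor, digest) for a in attestations):
                record["reasons"].append(f"missing or invalid attestation from {attestor}")
    worst = worst_severity(findings)
    if worst and SEVERITY_ORDER.index(worst) > SEVERITY_ORDER.index(policy["maxAllowedSeverity"]):
        record["reasons"].append(f"registry scan reports a {worst} severity vulnerability")
    if not record["reasons"]:
        record["allowed"] = True
    elif annotations.get(BREAK_GLASS_ANNOTATION) == "true":
        # The override is honoured but never silent: the reasons stay on record.
        record.update(allowed=True, break_glass=True)
    return record


if __name__ == "__main__":
    digest = "sha256:" + "ab" * 32  # constructed digest
    image = "gcr.io/demo-proj/app@" + digest
    atts = [{"attestor": a, "digest": digest, "signature": sign(a, digest)} for a in ATTESTOR_KEYS]
    high = [{"severity": "HIGH", "package": "libexample"}]  # constructed finding
    for rec in (evaluate(image, atts, [], {}),
                evaluate(image, atts, high, {}),
                evaluate(image, atts, high, {BREAK_GLASS_ANNOTATION: "true"})):
        print(json.dumps(rec))
```

Two details carry most of the security value. First, the decision is keyed on the digest, not the tag, because a tag can be moved to a different image after the attestation was made. Second, the break-glass path does not short-circuit evaluation: every reason that would have caused a denial is still written to the audit record, which is what lets a reviewer see afterwards what was waived and why.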
These capabilities significantly enhance Google cloud security controls, with deep integration into the automation and orchestration workflows that DevOps and security teams depend on.
The goal of any organization deploying VMs and containers in the cloud is to automate and streamline as much as possible, and security needs to be integrated into these development and deployment workflows now more than ever. By providing tools that can securely store container images, as well as evaluate and validate VM and container integrity and security posture, Google is helping development and operations teams to move faster without sacrificing security along the way.